transformers 5.6.0

Direct Vulnerabilities

Known vulnerabilities in the transformers package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Arbitrary Code Injection transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow Affected versions of this package are vulnerable to Arbitrary Code Injection via the `convert_config` function. An attacker can execute arbitrary code by supplying a malicious checkpoint file that is processed without proper validation. Note: The report of this vulnerability was rejected by the package's maintainers. See the project's security policy for more information. How to fix Arbitrary Code Injection? There is no fixed version for `transformers`.	[0,)
H Arbitrary Code Injection transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow Affected versions of this package are vulnerable to Arbitrary Code Injection via the `convert_config` function. An attacker can execute arbitrary code by supplying a malicious checkpoint file that is processed without proper validation. Note: The report of this vulnerability was rejected by the package's maintainers. See the project's security policy for more information. How to fix Arbitrary Code Injection? There is no fixed version for `transformers`.	[0,)
H Deserialization of Untrusted Data transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the parsing process of model files. An attacker can execute arbitrary code in the context of the current user by tricking a user into opening a malicious file or visiting a malicious page that triggers deserialization of untrusted data. Note: The report of this vulnerability was rejected by the package's maintainers. See the project's security policy for more information. How to fix Deserialization of Untrusted Data? There is no fixed version for `transformers`.	[0,)
H Deserialization of Untrusted Data transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the `megatron_gpt2` process. An attacker can achieve arbitrary code execution by tricking a user into opening a malicious file or visiting a crafted page that triggers deserialization of untrusted data. Note: The report of this vulnerability was rejected by the package's maintainers for being out of scope for the bug bounty program. See the project's security policy for more information. How to fix Deserialization of Untrusted Data? There is no fixed version for `transformers`.	[0,)
H Arbitrary Code Injection transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow Affected versions of this package are vulnerable to Arbitrary Code Injection via the `convert_config` function. An attacker can execute arbitrary code by supplying a crafted checkpoint file that is processed without proper validation. Note: The report of this vulnerability was rejected by the package's maintainers for being out of scope for the bug bounty program. See the project's security policy for more information. How to fix Arbitrary Code Injection? There is no fixed version for `transformers`.	[0,)
H Deserialization of Untrusted Data transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the parsing of checkpoints. An attacker can achieve arbitrary code execution by tricking a user into opening a malicious checkpoint file. Note: The report of this vulnerability was rejected by the package's maintainers for being out of scope for the bug bounty program. See the project's security policy for more information. How to fix Deserialization of Untrusted Data? There is no fixed version for `transformers`.	[0,)
H Deserialization of Untrusted Data transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the parsing of weights. An attacker can execute arbitrary code by tricking a user into visiting a malicious page or opening a malicious file that triggers deserialization of untrusted data. Note: The report of this vulnerability was rejected by the package's maintainers for being out of scope for the bug bounty program. See the project's security policy for more information. How to fix Deserialization of Untrusted Data? There is no fixed version for `transformers`.	[0,)

Vulnerability

Vulnerable Version

Arbitrary Code Injection

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Arbitrary Code Injection via the convert_config function. An attacker can execute arbitrary code by supplying a malicious checkpoint file that is processed without proper validation.

Note:

The report of this vulnerability was rejected by the package's maintainers. See the project's security policy for more information.

How to fix Arbitrary Code Injection?

There is no fixed version for transformers.

[0,)

Arbitrary Code Injection

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Note:

The report of this vulnerability was rejected by the package's maintainers. See the project's security policy for more information.

How to fix Arbitrary Code Injection?

There is no fixed version for transformers.

[0,)

Deserialization of Untrusted Data

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the parsing process of model files. An attacker can execute arbitrary code in the context of the current user by tricking a user into opening a malicious file or visiting a malicious page that triggers deserialization of untrusted data.

Note:

The report of this vulnerability was rejected by the package's maintainers. See the project's security policy for more information.

How to fix Deserialization of Untrusted Data?

There is no fixed version for transformers.

[0,)

Deserialization of Untrusted Data

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the megatron_gpt2 process. An attacker can achieve arbitrary code execution by tricking a user into opening a malicious file or visiting a crafted page that triggers deserialization of untrusted data.

Note:

The report of this vulnerability was rejected by the package's maintainers for being out of scope for the bug bounty program. See the project's security policy for more information.

How to fix Deserialization of Untrusted Data?

There is no fixed version for transformers.

[0,)

Arbitrary Code Injection

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Arbitrary Code Injection via the convert_config function. An attacker can execute arbitrary code by supplying a crafted checkpoint file that is processed without proper validation.

Note:

The report of this vulnerability was rejected by the package's maintainers for being out of scope for the bug bounty program. See the project's security policy for more information.

How to fix Arbitrary Code Injection?

There is no fixed version for transformers.

[0,)

Deserialization of Untrusted Data

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the parsing of checkpoints. An attacker can achieve arbitrary code execution by tricking a user into opening a malicious checkpoint file.

Note:

The report of this vulnerability was rejected by the package's maintainers for being out of scope for the bug bounty program. See the project's security policy for more information.

How to fix Deserialization of Untrusted Data?

There is no fixed version for transformers.

[0,)

Deserialization of Untrusted Data

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the parsing of weights. An attacker can execute arbitrary code by tricking a user into visiting a malicious page or opening a malicious file that triggers deserialization of untrusted data.

Note:

The report of this vulnerability was rejected by the package's maintainers for being out of scope for the bug bounty program. See the project's security policy for more information.

How to fix Deserialization of Untrusted Data?

There is no fixed version for transformers.

[0,)

transformers@5.6.0

Transformers: the model-definition framework for state-of-the-art machine learning models in text, vision, audio, and multimodal models, for both inference and training.

latest version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically